Koozali.org: home of the SME Server

Invalid users get in!

Daniel

Invalid users get in!
« on: February 23, 2002, 11:28:34 AM »
Gudday,

Running a new setup of e-smith 4.1.2 as a domain controller with '95 clients I was surprised to discover that the Windows 95 PCs can log in using any credentials you like (e.g. user hblbj pwd klrjerjk) and still get the login script to run!

They also had the same privileges as the "everyone" group (fair enough I suppose) so I have dumped everyone into a group called "validusers" so now a random username can't access ibays.

In this situation with an NT PDC one cannot log in, and so can't access LAN shares (but of course you still get IP traffic even if you cancel the login).

Is this by design or did I do something wrong?

Is it perhaps a client config problem (but I can't see how, the clients are pretty straightforward...)?

Please Help!

Les Mikesell

Re: Invalid users get in!
« Reply #1 on: February 23, 2002, 09:23:30 PM »
You might want to upgrade to 5.1.2. The way unknown users are handled by the samba server appears to have changed and 'everyone' now doesn't really mean everyone. (This broke a few things for me...).

Sean Stratton

Re: Invalid users get in!
« Reply #2 on: February 24, 2002, 02:37:14 AM »
OK, I'm new to the SME thing, but a Win98 client can run poledit and set confirm login with domain controller; that's how you stop it on NT. I am just about to pull my config.pol script from my old NT server and try dumping it in the netlogon folder to restore some features. If you want, I can let you know how I get on.

Sean

Rich Lafferty

Re: Invalid users get in!
« Reply #3 on: February 25, 2002, 06:30:34 PM »
Daniel,

As you've observed, in e-smith server and gateway 4.1.2, "everyone" means
exactly that :-) -- non-users get access to public shares, and will be able
to see (but not read) inaccessible shares in the network browser.

The current version of SME Server behaves as you expect, with "everyone"
meaning "everyone with an account". You may wish to upgrade if you would
prefer that behaviour.

In future, please submit potential security problems to security@e-smith.com
rather than posting in the forums; that ensures that potential vulnerabilities
are triaged by those who know the software intimately, such that other users
aren't either exposed to a publicized vulnerability prior to the preparation
of a fix, or scared unnecessarily by a reported vulnerability that isn't.

Thanks,

Rich Lafferty
Network Server Solutions Group
Mitel Networks

Les Mikesell

Re: Invalid users get in!
« Reply #4 on: February 25, 2002, 07:26:31 PM »
Rich Lafferty wrote:
>
> The current version of SME Server behaves as you expect, with "everyone"
> meaning "everyone with an account". You may wish to upgrade if you would
> prefer that behaviour.

Actually it means only 'everyone with an account on this particular server' which can be a pretty drastic change in a larger network. Is there a way short of modified templates to restore guest access to public shares?

Rich Lafferty

Re: Invalid users get in!
« Reply #5 on: February 25, 2002, 08:51:33 PM »
Not short of custom templates, no.

--Rich